Symantec Website Hack Exposes User Data

A hacker recently demonstrated how a SQL injection vulnerability in a Symantec Website could be exploited to reveal user data. Symantec says the vulnerability ony impacts customers in Japan and South Korea.

A Website operated by security firm Symantec was hacked - giving an attacker a sneak peak at sensitive customer data.The Romanian hacker known as Unu, who earlier this year uncovered a hole in a Website run by Kaspersky Lab, exploited a blind SQL injection problem to get his hands on clear-text passwords associated with customer records and other data.

Unu used sqlmap and Pangolin to demonstrate the vulnerability, and
published screenshots to his blog. According to Symantec, the
vulnerability was on its pcd.symantec.com site, which is used to
facilitate customer support for Symantec's Norton products inJapanand South Korea.

"At this time, we believe that this incident does not affect Symantec
customers anywhere else in the world," a Symantec spokesperson said
Nov. 24. "This incident impacts customer support inJapanand South Koreabut
does not affect the safety and usage of Symantec's Norton-branded
consumer products. Symantec is currently in the process
of ensuring that the Website is appropriately secured and will
bring it back online as soon as possible."According to Unu, his goal was not to cause harm, but to create a stir so the problem would be fixed."If you remember, in February, Kaspersky faced with
a sql injection," he blogged. "Then they had the courage to admit
vulnerability...There was fair play, they quickly secured vulnerable
parameter, and even if at first they were very angry at me, finally
understood that I did not extract (data), I saved nothing...My goal was,
what (it) is still, to warn. To call attention."Trend
Micro Advanced Threats Researcher Rik Ferguson said the incident serves
as a reminder to follow best practices when it comes to securing Web
applications. Sensitive data should never be stored in clear text, he blogged, and bounds checking of input data can help avoid buffer overflows and SQL injection attacks.